Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
KarimBenyelloul's avatar
KarimBenyelloul
Icon for Cirrostratus rankCirrostratus
May 19, 2025

Hello, is there a way to automate the renewal of the management BIG-IP device certificate in a similar manner?

Arturo's avatar
Arturo
Icon for Employee rankEmployee
May 19, 2025

As Kevin rightly pointed out, using the ACME protocol—particularly the http-01 challenge—for renewing the BIG-IP management certificate is not practical. 

While the dns-01 challenge offers a workaround (by validating ownership via DNS rather than HTTP), it still doesn’t directly solve the problem. Lot of devices does not have the hostname provided on the DNS server.

That said, there is a more suitable solution available:

A better and more secure alternative is to use a script-based approach that leverages the EST (Enrollment over Secure Transport) protocol. This method allows you to:

  • Authenticate securely to your internal certificate authority.
  • Request and retrieve new certificates over HTTPS.
  • Automatically install the renewed certificate on the BIG-IP management interface.

This avoids public exposure and can be fully automated in environments where an internal PKI with EST support is available (e.g., Microsoft ADCS with EST proxy, EJBCA, etc.).

If you’re managing BIG-IP devices at scale or aiming for a hands-off certificate lifecycle, this approach is recommended.

  • Ichnafi's avatar
    Ichnafi
    Icon for Cirrostratus rankCirrostratus
    Jun 10, 2025

    Hello Arturo,

    Are there any examples or additional articles that show how a script-based solution using EST would look like?